Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
3/3/2017
1
www.pwc.com
Medical device security –The transition from patient privacy to patient safety
Scott Erven
PwC | Medical device security – The transition from patient privacy to patient safety
Who i am
2
Scott Erven - Managing Director – Healthcare Industries Advisory – Cybersecurity & Privacy
Medical Device Security Lead For PwC
Over 5 Years Leading Medical Device Security Research
Over 15 Years IT Security Experience
Over 5 Years Managing Security For Healthcare Systems & Providers
PwC | Medical device security – The transition from patient privacy to patient safety
What we’ll be covering today
3
Why medical device security matters.
Vulnerabilities inside the medical device security landscape.
Are attacks a reality?
Diagnosis and problem awareness.4
1
2
3
Treatment plans.5
3/3/2017
2
PwC | Medical device security – The transition from patient privacy to patient safety
Why medical device security matters
4
PwC | Medical device security – The transition from patient privacy to patient safety
Personal impact
5
When we are at our most vulnerable, we will depend on these devices for life.
Even at times when we aren’t personally affected, people we care about may be.
Many of us rely on thesedevices daily.
PwC | Medical device security – The transition from patient privacy to patient safety
Malicious intent is not a prerequisite to patient safety issues
6
3/3/2017
3
PwC | Medical device security – The transition from patient privacy to patient safety
Research – Device vulnerabilities
7
PwC | Medical device security – The transition from patient privacy to patient safety
Device vulnerabilities
8
Weak default/hardcoded administrative credentials
• Treatment modification
• Cannot attribute action to individual
Known software vulnerabilities in existing and new devices
• Reliability and stability issues
• Increased deployment cost to preserve patient safety
Unencrypted data transmission and service authorization flaws
• Healthcare record privacy and integrity
• Treatment modification
PwC | Medical device security – The transition from patient privacy to patient safety
Research– Internet exposure
9
3/3/2017
4
PwC | Medical device security – The transition from patient privacy to patient safety
Shodan search initial findings
10
Doing a search for anesthesia in Shodan and realized it was not an anesthesia workstation.
Located a public facing system with the Server Message Block (SMB) service open, and it was leaking intelligence about the healthcare organization’s entire network including medical devices.
PwC | Medical device security – The transition from patient privacy to patient safety
Initial healthcare organization discovery
11
Very large U.S. based healthcare system consisting of over 12,000 employees and over 3,000 physicians. Including large cardiovascular and neuroscience institutions.
Exposed intelligence on over 68,000 systems and provided direct attack vector to the systems.
Exposed numerous connected third-party organizations and healthcare systems.
PwC | Medical device security – The transition from patient privacy to patient safety
Did we only find one?
12
No. We found hundreds!!
Change the search term and many more come up. Potentially thousands if you include exposed third-party healthcare systems.
3/3/2017
5
PwC | Medical device security – The transition from patient privacy to patient safety
Let me paint the picture
13
Impact: System May Not Require Login
Impact:Electronic Medical Record Systems
PwC | Medical device security – The transition from patient privacy to patient safety
Getting a little warmer!
14
Impact:Pediatric Nuclear MedicineAnesthesia Systems
PwC | Medical device security – The transition from patient privacy to patient safety
Summary of devices inside organization
15
Anesthesia Systems – 21
Cardiology Systems – 488
Infusion Systems – 133
MRI – 97
PACS Systems – 323
Nuclear Medicine Systems – 67
3/3/2017
6
PwC | Medical device security – The transition from patient privacy to patient safety
Potential attacks – Physical
16
We know what type of systems and medical devices are inside the organization.
We know the healthcare organization and location.
We know the floor and office number.
We know if it has a lockout exemption.
PwC | Medical device security – The transition from patient privacy to patient safety
Potential attacks – Phishing/Pivot
17
We know what type of systems and medical devices are inside the organization.
We know the healthcare organization andemployee names.
We know the direct public Internet facing system is vulnerable to MS08-067 and is Windows XP. We know the hostname of all these devices.
We can create a custom payload to only target medical devices and systems with known vulnerabilities.
PwC | Medical device security – The transition from patient privacy to patient safety
Are attacks a reality?
18
3/3/2017
7
PwC | Medical device security – The transition from patient privacy to patient safety
Real world attacks – Honeypot research
19
Using known default login information for remote access?
Leveraging existing exploits for remote command execution?
Custom malware?
Malicious intent to interfere with the device (or worse, someone using the device)?
Campaigns against specific vendor devices?
What we were looking for…
PwC | Medical device security – The transition from patient privacy to patient safety
Real world attacks – The data
20
Data
Honeypots 10
Successful logins (SSH/Web): 55,416
Successful exploits (Majority is MS08-067) 24
Dropped malware samples 299
Top 3 Source Countries Netherlands, China, South Korea
HoneyCreds login 8
HoneyCred logins are unique to the honeypot ssh/web service, someone did some research.
PwC | Medical device security – The transition from patient privacy to patient safety
Real world attacks – Conclusion
21
What did the attacker do once he got in? Nothing
Did they realize they had root on a MRI machine? Probably not
Are there compromised medical devices calling back to a command and control server?
Absolutely
Did the command and control owners know what the information they are sitting on?
Didn’t appear so
3/3/2017
8
PwC | Medical device security – The transition from patient privacy to patient safety
Problem awareness
22
PwC | Medical device security – The transition from patient privacy to patient safety
Problem awareness
23
Medical devices are increasingly accessible due to the natureof healthcare1
HIPAA focuses on patient privacy, not patient safety.2
U.S. Food and Drug Administration does not validate cyber safety controls. 3
Malicious intent is not a prerequisite for adverse patient outcomes.4
PwC | Medical device security – The transition from patient privacy to patient safety
Technical properties
24
• All software has flaws.
• Connectivity increases potential interactions.
• A software-driven, connected medical device is a vulnerable, exposed one.
Lack of patient safety alignment in medical device cyber security practices
Exposed, vulnerable systems
3/3/2017
9
PwC | Medical device security – The transition from patient privacy to patient safety
A brief history of United States Food and Drug Administration (U.S. FDA) and medical device cybersecurity
FDA issues general warning on device cybersecurity based on “known vulnerabilities”
FDA issues draft guidance on
medical device cybersecurity
FDA releases final guidance on cybersecurity for networked medical
devices containing off-the-shelf software
January 2005
FDA issues first-ever warning about cybersecurity vulnerability of a device
FDA issues its final guidance document on including medical device cybersecurity
information in premarket applications
President Obama issues executive order on improving infrastructure cybersecurity
February 2013
June 2013June 2013
October 2014July 2015
FDA issues draft guidance document on post-approved monitoring of medical device cybersecurity
January 2016
December 2016
FDA issues final guidance document on post-approved monitoring and
remediation of medical device cybersecurity
25
PwC | Medical device security – The transition from patient privacy to patient safety
U.S. FDA premarket guidance for medical device cybersecurity
U.S. FDA asks that cybersecurity information be submitted as part of a device’s application for approval, including:
• Hazard analysis of cyber risks
• Controls to mitigate specific risks
• A plan of how to patch devices
• Controls to maintain device integrity
• Instructions on how to use related controls like antivirus software
26
PwC | Medical device security – The transition from patient privacy to patient safety
U.S. FDA’s post-market guidance for medical device cybersecurity
27
U.S. FDA highlights if the following criteria are met they will not enforce 806 reporting requirements:
1.) No serious adverse events are known to have
been caused by the vulnerability
2.) Fixes are made and users are notified within 60 days (Two 30 Day Periods Defined In
Requirements) of the discovery of the vulnerability
3.) The manufacturer is a member of an Information Sharing Analysis Organization (ISAO) and
has a coordinated disclosure process
3/3/2017
10
PwC | Medical device security – The transition from patient privacy to patient safety
Treatment plans
28
PwC | Medical device security – The transition from patient privacy to patient safety
A shift in how we think about medical technologies
29
BeforeDevices are connected to
patients physically
Data obtained from devices are stored on paper or locally
Devices are physical products
Care is hand-administered at a health care location
Physical access is needed to view health data
NowDevices are connected wirelessly to patients and other devices
Data obtained from devices are stored in the cloud
Devices include software and even databases of health information
Care is available to patients in the palm of their hand through apps
Health data can be accessed anywhere on earth
PwC | Medical device security – The transition from patient privacy to patient safety
A shift in how we think about regulating medical devicesTraditional considerations meet technology
30
Security Once a medical device is networked with other devices or the internet, is it still safe and effective?
QualityAfter approval, a device must be kept safe and effective through adherence to quality manufacturing standards established by FDA
Safety
Is a medical device safe for use in humans? Does it cause adverse events? Are its risks tolerable in relation to its benefits?
Efficacy Is a device effective for its given purpose? What is the magnitude of the effect? T
radit
ional
Evolv
ing
3/3/2017
11
PwC | Medical device security – The transition from patient privacy to patient safety
Interaction with the broader industry is also core to developing an overarching threat landscape, responding to Cybersecurity events, and developing more secure devices.
Company
• Regulatory Requirements: Must be implemented, assess compliance annually
• Guidance: Assess new guidance regularly
• Notification: Receive notification of adverse events
Federal / State Government
• Guidance / Industry Thought Leadership : Evaluate credibility and relevance to product architecture and security
• Device Testing: Provide Security Testing and Certifications for new and existing devices
Research / Academia / Laboratories
•Intended Use: Follow implementation and maintenance guidance
•Requirements: Convey business and security requirements to partners
•Vulnerabilities: Report discovered issues
IoT Device Manufacturers
• Remain Vigilant: Assess security bulletins and security news daily for relevance
• Get Involved: Attend industry conferences and events
Informal Knowledge
•IoT Security Lessons/Case Studies: Interface with peers discuss best practices, vulnerabilities, as well as common issues and roadblocks
Partner / Peer Organizations
• Analyze Security: Review and validate vendor security practices
• Vulnerabilities: Report discovered issues
• Requirements: Convey business, security, and privacy requirements
Key Software & Service Vendors
Consortiums &
Information Sharing
and Analysis
Organizations
(ISAOs)
34
PwC | Medical device security – The transition from patient privacy to patient safety
A security centric, risk based product development process is core to the deployment of a secure effective medical device…
02Protected Health Information Aware
Product design must be equipped with handling patient sensitive information to meet both HIPAA and U.S. FDA regulations.
04Product Safety
Product design must incorporate safety features that meet the regulatory requirements such as alarm systems to
protect users and patients from unanticipated adverse situations
Medical Device Development
Secure Product Architecture
Product design must protect the information & the device against any threats posed by
external circumstances or by other
connected devices.
03Risk Assessment and
ManagementProduct design must enable identification
and management of risk through the product development lifecycle.
01
32
PwC | Medical device security – The transition from patient privacy to patient safety
To meet the current regulatory requirements and protect the device from cybersecurity attacks, it is critical to embed security within the lifecycle of the product and in risk management considerations…
Product DesignRequirements
ProductLaunch
Pre-market
Risk Management
Lifecycle
Inevitable need to explore unidentifiable
risks including foreseeable tampering
Established mechanism to feed post
market monitoring data into next-gen device design
Continuous compliance with HIPAA and
other privacy regulations
IT compliance function with expertise to
evaluate compliance with various regulations
Effective security and data standards with
an ability to rapidly respond to emerging threats
Risk Management Considerations
33
3/3/2017
12
PwC | Medical device security – The transition from patient privacy to patient safety
Medical Device Cyber Security Approach
Preparation for regulatory audits and assess the health of the overall privacy and security programs
Comprehensive approach to identify and mitigate cybersecurity risks and evaluate the effectiveness of the Medical IoT cybersecurity program.
Develop the Medical IoT cybersecurity strategy in accordance with business, operational, risk and compliance needs. Design the program operating model, identify the resources to carry out the day to day activities and provide architecture and implementation support.
Strategy Execution, Design, and Implementation
Integrated Medical IoT and Enterprise Security Strategy
Medical IoTGovernance and Program
Development
Data Flow Mapping, Identification, Classification,
Use and Protection
Software/Systems Development Lifecycle (SDLC) Process
Enhancement
Control Profile DevelopmentMedical IoT Risk Management
Policy Development and Alignment
Medical IoT Vendor Risk Management
Medical IoT Incident Response Playbook Development
Information Risk and Incident Management
Mock Regulatory AuditsMedical IoT Cybersecurity Risk
AssessmentsRegulatory Framework
Alignment and ComplianceMedical IoT Risk Assessment
Process Development
Regulatory Compliance
PwC | Medical device security – The transition from patient privacy to patient safety
Medical Device Cybersecurity Framework
Medical IoTSecurityProgram
Medical IoTGovernance
NetworkSecurity
MedicalIT-RiskMgmt.
AssetMgmt.
DeviceSecurity
ConfigurationMgmt.
1. Medical IoT Governance� Development of Governance Model with clearly
yeah established roles, responsibilities, and FTE� Information Sharing and Analysis Organization
(ISAO) Development and Participation
� Medical IoT Security Strategy� Medical IoT Risk Management Policy
� Medical IoT Minimum Security Baseline(MSB)
6. Asset Management� Device Inventory
� Device Attribute Collection� Asset Management Policy and
Process
� Secure Device Procurement Processes
5. Device Security� Medical IoT Device Encryption
� Secure Device Access Control and
Authentication
� Wireless Security Controls
2. Network Security� Network Segmentation and/or Network Access
Control (NAC) for critical medical IoT devices� Logging and Monitoring for Malicious Activity� Forensic Toolkit for Intrusion Analysis
� Secure Remote Access� Secure Medical IoT Device Network Architecture
3. Medical IT Risk Management� Medical IoT Device Vendor Risk
Management Program� Device Risk Profiling� Control Profile Development
� Secure Disposal Processes� Physical Device Security
� Device Risk Assessment Tool Development
4. Configuration Management� Patch Management Processes
� Software Version Control Processes� Change Management Processes� Logging and Monitoring for configuration
changes
The following diagram outlines the key components of a Medical Device Cybersecurity Framework, including roles and responsibilities for management of security risks:
PwC | Medical device security – The transition from patient privacy to patient safety
Invest in personnel and processes
36
Companies should establish and support cybersecurity programs to support devices throughout their lifecycles
Established information-sharing processes –including ISAOs – may lead to more and better disclosures.
Cybersecurity experts should be hired or third-parties consulted to vet cybersecurity information.
Companies should consider how to best engage with the cybersecurity community as a strategic advantage.
3/3/2017
13
PwC | Medical device security – The transition from patient privacy to patient safety
Support can lead to opportunity
37
Device companies can become essential partners to healthcare providers by helping them support and secure their devices and networks.
Device companies can benefit by giving providers a level of comfort and assurance about product security, potentially leading to increased sales, and insight into how their devices are used and misused, benefiting future device development.
Scott ErvenManaging Director, Healthcare CybersecurityE: [email protected]
Thank you
Contact